Vulnerable are JW Player 5.9.2156 (and 5.9.2206, except one vulnerability) and previous versions. Tested in 5.7.1896, 5.9.2156 and 5.9.2206. Only some of these vulnerabilities exist in 3.x and previous versions.

In version 5.9.2206 developers have fixed first XSS hole from bellow-mentioned.

----------
Details:
----------

Content Spoofing (WASC-12):

In parameter file there can be set as video, as audio files.

Swf-file of JW Player accepts arbitrary addresses in parameters file and image, which allows to spoof content of flash - i.e. by setting addresses of video (audio) and/or image files from other site.

Swf-file of JW Player accepts arbitrary addresses in parameter config, which allows to spoof content of flash - i.e. by setting address of config file from other site (parameters file and image in xml-file accept arbitrary addresses). For loading of config file from other site it needs to have crossdomain.xml.

http://http://site/jwplayer.swf?config=1.xml

1.xml

<config>
<file>1.flv</file>
<image>1.jpg</image>
</config>

Swf-file of JW Player accepts arbitrary addresses in parameter playlistfile, which allows to spoof content of flash - i.e. by setting address of playlist file from other site (parameters media:content and media:thumbnail in xml-file accept arbitrary addresses). For loading of playlist file from other site it needs to have crossdomain.xml.

If at the site at page with jwplayer.swf (player.swf) there is possibility (via HTML Injection) to include JS code with callback-function, and there are 19 such functions in total, then it's possible to conduct XSS attack. I.e. JS-callbacks can be used for XSS attack.

By Google's information, there are 99600 + 7610000 = 7709600 (in May) of such flash files in Internet. This is approximate data and not all of the player.swf are swf-files of JW Player, but taking into account that this is very popular flash application, which is used as standalone, as a part of different web applications (CMS), and Google could indexed only 10% of its swf-files, then we receive tens millions of vulnerable swf-files of JW Player in Internet.

------------
Timeline:
------------

2012.05.25 - found vulnerabilities during pentest (in version 5.7.1896 and tested in the last version from official site). Some of CS vulnerabilities had existed in 3.x version of the player and I knew about them since 2008, when first time saw JW Player.
2012.05.28 - announced at my site.
2012.05.29 - informed developers.
2012.05.29 - developers answered that most holes should be fixed in version 5.9.2206 (in trunk).
2012.05.31 - after checking, I've informed developers that in trunk only one XSS are fixed. Then they answered that they were planning to fix all other vulnerabilities in upcoming 6.0 version of the player.
2012.06.06 - disclosed at my site (http://websecurity.com.ua/5848/).